When CALEA was expanded in 2005, US universities worried that they would soon …

Share this story

Back in 2005-2006, when CALEA (the Communications Assistance for Law Enforcement Act) was being expanded to cover broadband providers and VoIP companies, libraries and universities raised a massive ruckus over the plan. Their worry was that CALEA would require any network that connected to the public Internet to comply with FBI wiretapping guidelines; universities across the country would be faced with a multibillion dollar bill for upgrading their networks. Now that the new CALEA rules are in effect (the deadline for compliance was Monday), how are universities and libraries handling the issue?

In large part, they aren't. That's because the FCC and the Department of Justice clarified some of the CALEA provisions last year after several educational library groups took them to court. Even after the various rulings were handed down, "much information related to the CALEA order remains confusing and incomplete," according to EDUCAUSE, one of the groups involved in the cases. Despite the vagueness of several key provisions and terms, this much became clear after the court decisions: "with rare possible exceptions, universities, colleges, and libraries are exempt from CALEA."

Networks are exempt from the electronic surveillance rules if they meet two tests: they must be private, and the institution that runs them must not "support" the Internet connection. A "private" network is not actually defined, but legal analysis by educational groups has concluded that universities are private networks so long as they do not offer Internet access to other groups in turn, like municipal organizations or local communities. But this raises a question: how "private" does a private network have to be?

Most of the network traffic on college and university networks is generated by faculty, staff, and students of those institutions, but most schools also provide some public access in libraries and other common spaces. Does this mean that the schools lose their CALEA exemption? Most legal opinions we have seen suggest that it does not, but because there is no hard and fast guidance, some suggest erring on the side of caution. American University stopped offering public Internet access in its library earlier this week for exactly this reason.

Assuming that a school's network is private, the next question concerns the Internet connection. If the line and routing hardware is maintained by a telecommunications company, then the school remains exempt from CALEA. If the school runs its own fiber links to another network or even manages its own gateway router, it may incur obligations under CALEA.

If that happens, schools won't need to replace every router on campus, as was once feared. The gateway router may need to be replaced in order to make it easy to siphon off traffic from one IP address or user and funnel it to the feds, but this work can also be handled by a Trusted Third Party (for a fee, of course). In neither case will the entire network architecture need to be reworked.

In 2005, when the new rules were being proposed, the FCC noted that CALEA would not be extended to libraries "that acquire broadband Internet access service from a facilities-based provider to enable their patrons for customers to access the Internet." The American Library Association worries that this isn't good enough, though, writing in January 2007 that "it is possible the private network connections that serve libraries still could be subject to CALEA obligations" though their connections to regional library networks or universities. Currently, though, it does not appear that most libraries believe they must comply.

Regardless of how CALEA is applied, libraries and universities both have an obligation to comply with government wiretap requests; CALEA simply will make those requests much easier for the feds to make (and it does not currently expand reporting requirements to include e-mail or web browsing information).